Ways Financial Advisors Can Reduce Cyber Liability
Whether the financial firm is a large business with hundreds of employees or a small investment advisor with fewer than ten employees, a proper data security plan should be implemented. The entire firm must be committed to the plan and work to initiate and follow through with the data security measures. A proper plan will identify and address the following issues.
(1) Data Risk Assessment
A financial advisor should begin by conducting a thorough risk assessment of its data storage and security system. Surveys and data mapping should be conducted to determine what data is on the firm's computer servers and how the systems are protected. C-Suite executives, IT, Legal and HR must all be part of the assessment to ensure the company understands the full extent of its data use, storage and risk.
(2) Purge Old Data
Financial firms collect a tremendous amount of electronic data – all of which contains Personally Identifiable Information (PII). Firms must implement security protocols to delete, destroy or securely archive old data. A data breach can be a significant issue for a business, but when a breach involves decades of old data it can be devastating. A proper plan to purge and delete old data is essential to reducing liabilities.
(3) Encrypt Electronic Data
Computer systems that store clients' PII, including servers, desktop computers and tablets, must be encrypted. While encryption does not guarantee that a data breach will be prevented, most states' data breach statutes have safe harbor exemptions that will limit a company's liability if the entity can demonstrate that the lost or stolen data was encrypted.
(4) Prepare for a Data Breach Response
After a company has conducted a risk assessment and improved its security, a proper response plan should be drafted and practiced. IT staff should conduct regular meetings to ensure data security remains a priority and protocols are being followed. Management should ensure that vendors are complying with the company's data security policies and procedures.
(5) Cyber and Data Breach Insurance Should be Obtained
Even the best plans and procedures cannot prevent all data breaches from occurring. Hackers are constantly probing computer systems to exploit weaknesses. Human error will inevitably lead to missing laptops and malware infiltrating systems. In such likely circumstances, a cyber insurance policy provides a business with protection and coverage for a variety of data breach-related events. Cyber insurance can now cover business interruption, cyber ransom and first and third-party liability. Additional benefits include immediate access to experienced forensic and legal professionals to investigate and coordinate an immediate response to a data breach.
Conclusion
The heightened climate conducive to data breaches and the SEC's renewed emphasis on data security are strong reasons for financial advisors and firms to develop programs and policies that minimize the threat and related damages associated with a data breach. By treating data security as the "massive" risk that it is, an investment advisor can reduce exposures to devastating and costly liabilities.
David J. Shannon, Esq., and Joel M. Wertman, Esq., are shareholders in the Philadelphia office of civil defense litigation firm, Marshall Dennehey Warner Coleman & Goggin. As co-chair of the Privacy & Data Security Practice Group, David focuses his practice on privacy law, data breaches, IP, copyright infringement and technology litigation matters. Joel Wertman is a member of the firm's Securities & Investment Professional Liability Practice Group and concentrates on disputes in the securities, insurance and real estate industries.